refactor: remove character whitelisting (#7)

EsadCetiner · Jun 4, 2024 · 6078a19 · 6078a19
1 parent 8697fd4
commit 6078a19
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 114 deletions.
diff --git a/plugins/iredadmin-rule-exclusions-before.conf b/plugins/iredadmin-rule-exclusions-before.conf
@@ -17,52 +17,26 @@
 SecRule TX:iredadmin-rule-exclusions-plugin "@eq 0" "id:9521010,phase:1,pass,nolog,ctl:ruleRemoveById=9521100-9521999"
 
 #
-# [ Cookies ]
+# [ General rule exclusions ]
 #
 
 # Fix iRedAdmin session cookie false positive
-# This rule exclusions is always applied regardless of the URI path since clients will always send this cookie
-# for the domain it was issued on
-SecRule REQUEST_COOKIES:iRedAdmin-MYSQL "@rx ^[a-z0-9]+$" \
+# This rule exclusions is always applied unconditionally since clients will always send this cookie
+# for the domain it was issued on, regardless of the URL path.
+SecRule REQUEST_FILENAME "@unconditionalMatch" \
     "id:9521100,\
     phase:1,\
     pass,\
     t:none,\
     nolog,\
+    ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:iRedAdmin-LDAP,\
+    ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:iRedAdmin-LDAP,\
     ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:iRedAdmin-MYSQL,\
     ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:iRedAdmin-MYSQL,\
-    ver:'iredadmin-rule-exclusions-plugin/1.0.1'"
-
-# Fix iRedAdmin session cookie false positive
-# This rule exclusions is always applied regardless of the URI path since clients will always send this cookie
-# for the domain it was issued on
-SecRule REQUEST_COOKIES:iRedAdmin-PGSQL "@rx ^[a-z0-9]+$" \
-    "id:9521101,\
-    phase:1,\
-    pass,\
-    t:none,\
-    nolog,\
     ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:iRedAdmin-PGSQL,\
     ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:iRedAdmin-PGSQL,\
     ver:'iredadmin-rule-exclusions-plugin/1.0.1'"
 
-# Fix iRedAdmin session cookie false positive
-# This rule exclusions is always applied regardless of the URI path since clients will always send this cookie
-# for the domain it was issued on
-SecRule REQUEST_COOKIES:iRedAdmin-LDAP "@rx ^[a-z0-9]+$" \
-    "id:9521102,\
-    phase:1,\
-    pass,\
-    t:none,\
-    nolog,\
-    ctl:ruleRemoveTargetById=932236;REQUEST_COOKIES:iRedAdmin-LDAP,\
-    ctl:ruleRemoveTargetById=942450;REQUEST_COOKIES:iRedAdmin-LDAP,\
-    ver:'iredadmin-rule-exclusions-plugin/1.0.1'"
-
-#
-# [ General rule exclusions ]
-#
-
 # iRedAdmin displays domain names inside the request uri, domains most commonly end in .com which triggers 920440.
 SecRule REQUEST_FILENAME "@rx ^/iredadmin/.+\.(?:com|inc)$" \
     "id:9521110,\

diff --git a/tests/regression/iredadmin-rule-exclusions-plugin/9521100.yaml b/tests/regression/iredadmin-rule-exclusions-plugin/9521100.yaml
@@ -39,3 +39,71 @@ tests:
             version: HTTP/1.1
           output:
             no_log_contains: id "932236"
+  - test_title: 9521100-3
+    desc: Disable 942450 for iRedAdmin-PGSQL cookie
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: iRedAdmin rule exclusions plugin
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              cookie: iRedAdmin-PGSQL=0x86dd
+            port: 80
+            method: POST
+            uri: /post
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "942450"
+  - test_title: 9521100-4
+    desc: Disable 932236 for iRedAdmin-PGSQL cookie
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: iRedAdmin rule exclusions plugin
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              cookie: iRedAdmin-PGSQL=ls
+            port: 80
+            method: POST
+            uri: /post
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932236"
+  - test_title: 9521100-5
+    desc: Disable 942450 for iRedAdmin-LDAP cookie
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: iRedAdmin rule exclusions plugin
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              cookie: iRedAdmin-LDAP=0x86dd
+            port: 80
+            method: POST
+            uri: /post
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "942450"
+  - test_title: 9521100-6
+    desc: Disable 932236 for iRedAdmin-LDAP cookie
+    stages:
+      - stage:
+          input:
+            dest_addr: 127.0.0.1
+            headers:
+              Host: localhost
+              User-Agent: iRedAdmin rule exclusions plugin
+              Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+              cookie: iRedAdmin-LDAP=ls
+            port: 80
+            method: POST
+            uri: /post
+            version: HTTP/1.1
+          output:
+            no_log_contains: id "932236"
diff --git a/tests/regression/iredadmin-rule-exclusions-plugin/9521101.yaml b/tests/regression/iredadmin-rule-exclusions-plugin/9521101.yaml
diff --git a/tests/regression/iredadmin-rule-exclusions-plugin/9521102.yaml b/tests/regression/iredadmin-rule-exclusions-plugin/9521102.yaml